Saturday, October 27, 2007

Victims of email backscatter unite!

Currently I receive close to 500 backscattered messages per day at one of my email addresses. Some spammers must be really pissed off at me, or maybe my alias is a good one to use because it's on a common email alias provider. Anyway, I decided it's time to do something about it, if possible.

First, you may be asking what a backscattered message is. It's a "bounce" email that arrives in your in-box, usually with a subject like "Delivery notification: delivery has failed", "Delivery status notification", "failure notice", etc. The messages typically originate from "Mailer daemon", "postmaster", or "Mail delivery subsystem". Backscatter is the name for bounces that tell you about problems with messages you never sent.

Huh? This is weird... What's up with that? Well, you get backscattered messages because of two problems:

  1. a spammer has forged your email address in the "From:" field of the spam she sent;
  2. some email server has received that spam, and for some reason decided to reply to the forged email address (yours), probably to tell you:
    • it couldn't be delivered because the destination address was not valid, the user's mailbox was full, etc.;
    • the user is on vacation (vacation auto-responder);
    • the message contained a virus and was blocked;
    • the message was detected as spam and blocked.

The last two reasons are particularly incredible. If the mail server is smart enough to determine a message was a virus or spam, then it should know darn well that replying to its "From:" address makes no sense because -- guess what -- spammers/viruses nearly always forge the "From:" address!

The following image shows the anatomy of email backscatter.

Anatomy of email backscatter

The bad news is that you won't be able to stop spammers from forging your email address (problem #1 above). But there is some good news -- you may be able to do something about the servers that bounce messages (they create the backscatter, problem #2). Did you know that AOL, Hotmail, Yahoo, Gmail, etc. are examples of email services that do NOT create backscatter? This is because they are well administered and their email servers are correctly configured: they reject unwanted mail while the sending server is still connected, instead of accepting it and generating a bounce to the forged "From:" address afterwards.

Sadly, there are too many email servers on the Internet today that create backscatter. See the links about backscatter on the side menu of this blog for the technical details. One of the worst offenders is the Barracuda Spam Firewall. Some days I get 15 of its bounces, telling me that the "Message you sent was blocked by our bulk email filter". Their software accuses me of sending spam, because the designer of the software made the mistake of thinking it was a good thing to reply to spam that carries a forged "From:" address. That is irresponsible, and Barracuda should fix their product.

All ranting aside, if you're willing to work a little, I suspect there is huge potential to fight spam if one is a victim of backscatter. Here are a couple of thoughts about useful information that could be exploited, provided there were some way to process it:

  • Email bounces arrive practically in "real time" during spam runs. As soon as the spammer starts hitting mail servers with her spam, the bounces of failed messages come in to the victim of the forged "From:" address.
  • Some of the bounces contain the full headers of the spam email. Most often, one can trace the IP address back to a spam-sending zombie.
  • A spam run will typically use the same subject, or even the same "spamvertised" URL to a web page.
  • (if you have concrete ideas or resources about how to use this information, send me an email or post your ideas here in response)
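The three observations above boil down to one piece of processing: take a bounce, decide whether it refers to a message you actually sent, and if not, pull the zombie's IP, the subject and the spamvertised URL out of the original headers the bounce carries. Below is an added example of exactly that in Python's standard `email` package; it is not code from this post, and the sample bounce, its hosts, addresses, IP and Message-IDs are all constructed for the example. The "did I send this?" check is a simple comparison of the original Message-ID against a set of IDs we know we sent.

```python
"""Sort bounces into legitimate DSNs and backscatter (added example for this
post, not the article's code; uses only Python's standard `email` package).
Every host, address, IP and Message-ID below is constructed for the example."""
import re
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Message-IDs of mail we really sent (constructed; in practice taken from the
# sent-mail folder or an outbound mail log).
SENT_MESSAGE_IDS = {"<20071027.1234@alias.example.org>"}

BOUNCE_SENDER = re.compile(r"^(mailer-daemon|postmaster)@", re.I)
BOUNCE_SUBJECT = re.compile(r"delivery (status )?notification|failure notice|"
                            r"undeliver|returned mail|blocked by our bulk", re.I)
RECEIVED_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
URL = re.compile(r"https?://[^\s<>\"']+")

# Constructed bounce: a "blocked by our bulk email filter" reply to a spam that
# forged our alias in From:. The spam's headers ride in a text/rfc822-headers part.
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@mx.victim-company.example
To: myalias@alias.example.org
Subject: Message you sent was blocked by our bulk email filter
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.victim-company.example

Final-Recipient: rfc822; someone@victim-company.example
Action: failed

--B1
Content-Type: text/rfc822-headers

Received: from mx.victim-company.example (localhost [127.0.0.1])
 by mx.victim-company.example; Sat, 27 Oct 2007 10:15:01 +0000
Received: from unknown (HELO pc-12-34.dsl.example.net) (203.0.113.45)
 by mx.victim-company.example with SMTP; Sat, 27 Oct 2007 10:15:00 +0000
From: myalias@alias.example.org
Subject: Cheap meds at http://pharma-deal.example.invalid/
Message-ID: <9f8e7d6c5b4a@pc-12-34.dsl.example.net>

--B1--
"""

def is_bounce(msg: EmailMessage) -> bool:
    """A DSN report, or the daemon sender / subject wording the post lists."""
    if msg.get_content_type() == "multipart/report":
        return True
    sender = parseaddr(str(msg.get("From", "")))[1]
    return bool(BOUNCE_SENDER.search(sender)
                or BOUNCE_SUBJECT.search(str(msg.get("Subject", ""))))

def reporting_mta(bounce: EmailMessage) -> Optional[str]:
    """Host that generated the DSN, from its message/delivery-status part."""
    for part in bounce.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():
                if block.get("Reporting-MTA"):
                    return str(block["Reporting-MTA"]).split(";", 1)[-1].strip()
    return None

def original_headers(bounce: EmailMessage) -> Optional[EmailMessage]:
    """Headers of the bounced message, if the DSN carried them."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=policy.default)
    return None

def origin_ip(headers: EmailMessage, mta: Optional[str]) -> Optional[str]:
    """IP that handed the spam to the bouncing MTA. Only Received: lines that
    MTA wrote itself are trustworthy (a zombie can forge lines below them), so
    take the lowest trusted line: the hop the MTA recorded on receipt."""
    received = [str(h) for h in headers.get_all("Received", [])]
    trusted = [h for h in received if mta and f"by {mta}" in h]
    match = RECEIVED_IP.search((trusted or received or [""])[-1])
    return match.group(1) if match else None

def classify(raw: bytes) -> dict:
    """Verdict plus the evidence an abuse report or block-list would want."""
    bounce = message_from_bytes(raw, policy=policy.default)
    result = {"is_bounce": is_bounce(bounce), "verdict": "not a bounce",
              "origin_ip": None, "spam_subject": None, "spamvertised_urls": []}
    if not result["is_bounce"]:
        return result
    orig = original_headers(bounce)
    if orig is None:
        result["verdict"] = "bounce without original headers (cannot verify)"
        return result
    mid = str(orig.get("Message-ID", "")).strip()
    result["verdict"] = "legitimate bounce" if mid in SENT_MESSAGE_IDS else "backscatter"
    result["origin_ip"] = origin_ip(orig, reporting_mta(bounce))
    result["spam_subject"] = str(orig.get("Subject", ""))
    result["spamvertised_urls"] = URL.findall(result["spam_subject"])
    return result
```

Run `classify(SAMPLE_BOUNCE)` and the verdict is "backscatter" with origin 203.0.113.45 and the spamvertised URL from the subject; swap the sample's Message-ID for one in SENT_MESSAGE_IDS and the same bounce becomes "legitimate bounce". Two design points: the Received: chain is only trusted from the bouncing MTA's own lines downward, because anything below them was supplied by the sender; and a bounce that carries no original headers at all cannot be verified either way, which is itself a reason for a mail server to reject at SMTP time rather than accept and bounce later.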

There is a block-list for backscattering hosts at www.backscatterer.org. I have already contacted them, but they are only interested in my backscatter if I host an MX on UCEProtect.net's system. Apparently their backscatter reporting is hard-wired to that system. Sadly, I would lose the backscatter if I moved my email there, since it comes in to an email alias that forwards to my Gmail account. By the way, Gmail does a great job of classifying spam, including backscattered messages.

You can report backscatter to Spamcop.net, and, in principle, the administrators of offending sites will get a SpamCop report. However, the link that SpamCop sends them does a poor job of explaining the problem and the solution, and I don't think it has much effect. Sadly, a backscattering host will only get put on the SpamCop block-list if enough different people report it. So, if you're a victim of backscatter, you can make a difference by reporting it to SpamCop!

I report all backscatter (and other spam) to SpamCop fairly easily using a combination of Gmail, FreePOPs, Thunderbird and SpamCop's quick-report feature (which is free). See how to set up FreePOPs to download spam from your Gmail spam folder. In the interest of getting more people to report their backscatter, I would be happy to help you set up your system to do it easily. Please post your requests here, but don't identify your email addresses on this blog. If you want to send me specific info, you can email me at my Gmail address.

6 comments:

Paul Schmidt said...

You wrote that Yahoo was well administered to stop backscatter. As an emailer this may be true, but as a mail server administrator this is NOT the case.

Yahoo, when it sees spam, instead of replying with a rejected code in the response, sends a "deferred". This makes any mail server that is trying to send to Yahoo hold the mail in their queue (usually 7 days). Instead of being the "bad guy", Yahoo dumps all the responsibility back on the net instead of taking responsibility themselves.

Since they are inaccurate with their response messages, I would not call Yahoo well administered.

Spam Fighter said...

Paul,

I think I follow your description of what yahoo does. But I can't say I've investigated that.

However, I would say that any mail server forwarding spam is part of the problem. A huge percentage of spam is sent by zombies, so "deferring" it would be a great way to bog down the zombies. In my backscatter analyses, I have seen that most backscatter is sent by one zombie to one mail server, and rarely there is an intermediate mail server. I could argue that any intermediate mail server should easily identify zombies by 1) block lists or 2) dynamic IP lists.

dragonsmama said...

I use AOL for email and for several months have been getting what appears to be bulk 'returned mail' in an Asian script I cannot read. AOL initially said it was my computer or anti-virus software, but after a complete change of computer (and receipt of bulk 'returned mail' when I was not connected to the internet) they are now saying it is backscatter. Although that appeared initially to make sense, what I do not understand is that at almost the same time as the 'Returned mail' starts to appear, if I look in my 'Sent' box, I see what looks like the 'original' emails suddenly appearing there - although the times on them indicate they were sent many hours earlier or even the previous day.
Is this still backscatter, and if so, why is it appearing also in my 'sent' box?
If this is not backscatter, why would it happen when I am not even connected to the internet (I had to wait for a new router for my new computer) and why would it happen on unconnected old then new computer?
AOL is being very unhelpful, so please can you let me know what is happening? You might have guessed, I am not a computer expert, but do not want to have to change my email address.

Spam Fighter said...

Dragonsmama,

If you're speaking of your AOL "sent" box, then it sounds like your AOL account is sending the email, and they're bouncing. Technically, this isn't backscatter, but just normal bounces.

As for why these items appear in the "Sent" box on AOL, it might be that someone else is using your account. Are these spam emails?

AOL should help you with this if they are indeed spams that were "Sent", since it implies that your AOL account is sending bulk messages without you knowing about it. That explains why your account sends out emails when you're not online.

The obvious thing to do immediately is change your AOL password, using a virus-free computer.

dragonsmama said...

Thank you for your answer. AOL is being very unhelpful - it has taken months for me to get even the answer of 'backscatter' from them, and I suspected it may be incorrect.
The emails cannot be coming from my keyboard as it does not have the 'correct' Asian script - and I would not know how to go about getting it! I don't even know what language it is.
I don't think they can be coming from my computer hardware as they were also sent out in between disconnecting my old computer and the week later that my new one was connected to the internet.
I imagine they are spam emails - but as they are in this foreign script I have no idea what they are about!
I also suspected that someone else may be using my email account - but AOL deny this is happening. Yesterday it happened at exactly the same time that I was using my computer and logged in to my email account - can AOL be allowing two separate computers to be logged into the same email account at the same time?
I have tried changing my email password - however, when I try to do it, it just alters the password of the main account, not my subsidiary account - even though I have specifically logged in to my settings and it states that it is my email password that has been altered.
I am awaiting an answer (!) from AOL about why this password transfer is occurring.
However, I would be most grateful to hear your response. AOL insists it is backscatter and that I should just ignore it.

Spam Fighter said...

Hmmm... A great question to ask AOL is how to explain the Asian script mails in the "Sent" folder. Maybe they can tell you which IP address sent them.

As for origin of the spams causing the bounces, you might be able to find out more. Some bounce messages have the SMTP headers of the original email (that caused the bounce) included as MIME attachments. If some of the bounces have that info, you can do an analysis of that to find out the time and maybe the IP address of the origin of the message. It's like CSI stuff on an email. It's too complicated to do this through blog correspondence. Email me directly with the header info if you can find it. Or you can try this web page (I found with Google) that tells you how to analyze it: http://www.emailaddressmanager.com/tips/header.html